1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
|
.\" $Id$
.TH SUDO 8
.SH NAME
sudo \- execute a command as the superuser
.SH SYNOPSIS
.B sudo
.B \-V
|
.B \-h
|
.B \-l
|
.B \-v
|
.B \-k
|
.B \-s
| [
.B \-b
]
[
.B \-p
prompt ]
.I command
.SH DESCRIPTION
.B sudo
allows a permitted user to execute a
.I command
as the superuser (real and effective uid and gid are set to 0 and root's
group as set in the passwd file respectively).
.sp
.B sudo
determines who is an authorized user by consulting the file
.I /etc/sudoers.
By giving
.B sudo
the
.I \-v
flag a user can update the time stamp without running a
.I command.
The password prompt itself will also time out if the password is
not entered with N minutes (again, this is defined at installation
time and defaults to 5 minutes).
.sp
If an unauthorized user executes sudo, mail will be sent from the user to
the local authorities (defined at installation time).
.sp
.B sudo
was designed to log via the 4.3 BSD syslog(3) facility but
can log to a file instead if so desired (or to both syslog and a file).
.sp
All preferences are defined at installation time and are derived from
the options.h and pathnames.h include files as well as as well as the
Makefile.
.SH OPTIONS
.B sudo
accepts the following command line options:
.IP \-V
The \-V (version) option causes
.B sudo
to print the version number and exit.
.IP \-l
The \-l (list) option will list out the allowed and forbidden commands
for the user on the current host. Note that Command Aliases are
currently not expanded.
.IP \-h
The \-h (help) option causes
.B sudo
to print the version of sudo and a usage message before exiting.
.IP \-v
If given the \-v (validate) option,
.B sudo
will update the user's timestamp file, prompting for a password if necessary.
This extends the
.B sudo
timeout to for another N minutes (where N is defined at installation time and
defaults to 5 minutes) but does not run a command.
.IP \-k
The \-k (kill) option to
.B sudo
removes the user's timestamp file, thus requiring a password the next time
.B sudo
is run. This option does not require and password and was added to
allow a user to revoke
.B sudo
permissions from a .logout file.
.IP \-b
The \-b (background) option tells
.B sudo
to run the given command in the background. Note that if you use the
\-b option you cannot use shell job control to manipulate the command.
.IP \-p
The \-p (prompt) option allows you to override the default password
prompt and use a custom one.
.IP \-s
The \-s (shell) option runs the shell specified by the
.I SHELL
environmental variable if it is set or the shell as specified in
.BR passwd (5).
.IP \-\-
The \-\- flag indicates that
.B sudo
should stop processing command line arguments. It is most useful
in conjunction with the -s flag.
.SH RETURN VALUES
.B sudo
quits with an exit value of 1 if there is a configuration/permission problem
or if
.B sudo
cannot execute the given command. In the latter case the error string is
printed to stdout via
.BR perror (3).
If
.B sudo
cannot
.BR stat (3)
one or more entries in the user's PATH the error is printed on stdout via
.BR perror (3).
(If the directory does not exist or if it is not really a directory, the
entry is ignored and no error is printed.) This should not happen under
normal circumstances. The most common reason for
.BR stat (3)
to return "permission denied" is if you are running an automounter and
one of the directories in your PATH is on a machine that is currently
unreachable.
.SH SECURITY NOTES
.B sudo
tries to be safe when executing external commands. To this end the
IFS, LD_*, SHLIB_PATH (HP\-UX only), LIBPATH (AIX only), and _RLD_*
(Digital UNIX only) environmental variables are removed from the
environment passed on to all commands executed.
.sp
To prevent command spoofing,
.B sudo
checks '.' and '' (both denoting current directory) last when searching for
a command in the user's PATH (if one or both are in the PATH).
Note, however, that the actual PATH environmental variable is
.I not
modified and is passed unchanged to the program that
.B sudo
executes.
.sp
For security reasons, if your OS supports shared libraries,
.B sudo
should always be statically linked unless the dynamic loader disables
user\-defined library search paths for setuid programs.
.sp
.B sudo
will check the ownership of its timestamp directory (/tmp/.odus by default)
and ignore the directory's contents if it is not owned by root
and only read, writable, and executable by root. On systems
that allow users to give files away to root (via chown) it
is possible for a user to create the timestamp directory before
.B sudo
is run. However, because
.B sudo
checks the ownership & mode of
the directory, the only damage that can be done is to "hide"
files by putting them in the timestamp dir. This is unlikely to happen
since once the timestamp dir is owned by root and inaccessible by any
other user the user placing files there would be unable to get them
back out. To get around this issue you can use a directory that
is not world-writable for the timestamps (/var/sudo for instance).
.sp
To keep users from creating their own timestamp files
(by creating the timestamp directory before
.B sudo
is first run and then using chmod and chown to set
the ownership and mode to a combination
.B sudo
will accept) with timestamps far in the future
.B sudo
will not honor any timestamp with a date greater than
current_time + 2 * TIMEOUT.
.SH FILES
.nf
/etc/sudoers file of authorized users.
.fi
.SH ENVIRONMENT VARIABLES
.nf
PATH Set to a sane value if SECURE_PATH is set
SHELL Used to determine shell to run with \-s option
SUDO_COMMAND Set to the command run by sudo
SUDO_USER Set to the login of the user who invoked sudo
SUDO_UID Set to the uid of the user who invoked sudo
SUDO_GID Set to the gid of the user who invoked sudo
.fi
.SH AUTHORS
Many people have worked on
.B sudo
over the years, this version consists of code written primarily by:
.nf
Jeff Nieusma <nieusma@FirstLink.com>
David Hieb <davehieb@internetone.com>
Todd Miller <Todd.Miller@cs.colorado.edu>
Chris Jepeway <jepeway@cs.utk.edu>
See the HISTORY file in the sudo distribution for more details.
.fi
.sp
Please send all bugs, comments, and changes to sudo\-bugs@cs.colorado.edu.
.SH BUGS
The \-l (list) option should expand Command Aliases.
.SH DISCLAIMER
This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
.sp
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
675 Mass Ave, Cambridge, MA 02139, USA.
.SH CAVEATS
There is no easy way to prevent a user from gaining a root shell if
that user has access to commands that are shell scripts or that
allow shell escapes.
.SH SEE ALSO
.BR sudoers (5),
.BR visudo (8),
.BR su (1)
|
